Requirements : Site that use X-forwarded-for Basic knowledge with SQLi (string based) Live HTTP headers Introduction : X-forwarded-for is often use to get the ip of user even though he uses a proxy. Example and explanation : PHP Code: function getip() { if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; } else { $ip = $_SERVER["REMOTE_ADDR"]; } This code create an ip variable with the real ip. PHP Code: if (preg_match("#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#",$ip)) { return $ip; } else { return $_SERVER["REMOTE_ADDR"]; } } This code check if it's real ip but this code is vulnerable, why ? Because a regex has a beginning and a end. The beginning delimiter is ^ and the ending delimiter is $, note that the $ is missing. So the regex check only the beginning of the ip. If your ip is 127.0.0.1 the regex will send back true but if your ip is 127.0.01+whateveryouwant the regex will send back true too. PHP code that is vulnerable : PHP Code: $req = mysql_query("SELECT username,password FROM admin WHERE username='".sql($_POST['username'])."' AND password='".md5($_POST['password'])."' AND ip='".getip()."'"); Exploitation : First open Live HTTP headers then actualize the page : Note that the injection will be a string based. Now click on the url then click on replay and add :
Code: HdhCmsTest2cto测试数据
Then add a quote after your ip address and a nice error like that will be displayed : And now do your injection like string based, the most important thing is that you have to understand that the injection point is your ip in X-forwarded. Hope you learn something new 作者 http://hi.baidu测试数据/evilrapper/blog/item/518068a2b7b3148ccbefd0c5. html查看更多关于X-forwarded-for注入讲解 - 网站安全 - 自学php的详细内容...